Computer Fraud & Security, September 2007

NEWS

IN BRIEF

Microsoft to use HSMs
Microsoft software will use nCipher hardware security modules (HSMs) and timestamping technology for authentication. It enables developers to prove the software has not been tampered with.

Torrentspy to block US IP addresses
Digital content site TorrentSpy says it will block US-originating IP addresses rather than surrender server logs to US authorities. The Motion Picture Association of America (MPAA) alleges TorrentSpy broke copyright laws in allowing users to download digital content. TorrentSpy said that retrieving the data demanded by authorities would breach its users’ privacy policy.

Scams trick one fifth of Internet users
One fifth of online Web surfers in the US have suffered at least one Internet scam, according to Microsoft-commissioned research. About 81% of adults admitted they compromised their personal Internet security by opening a suspect-looking email. The survey also revealed different levels of knowledge regarding online fraud between the sexes. More men (47%) claim to know about online fraud than women (36%). However, more women (69%) claim they have never been a victim of an Internet scam, compared with 63% of men.

Westpac bank customers not liable for online fraud
Customers of Westpac Bank in New Zealand will not be liable for money lost due to online fraud, the firm has announced. The practice is contrary to the New Zealand Bankers’ Association’s normal procedure.

Virtual security officers patrol Chinese websites
Virtual figures will appear on users’ screens in China to remind them of Internet security every 30 minutes. They will appear on news portals and Beijing sites and forums. The officers will appear on foot, on motorbikes or in a car. According to the China Daily newspaper they will be “on watch for websites that incite secession, promote superstition, gambling and fraud.”

[Continued from a preceding page] ... delete, add, and modify sensitive information, including personally identifiable information, and disrupt the operations of the US-VISIT program. “As the federal government strives to integrate information on the entry and exit from the United States of foreign nationals, it is critical that the computer systems that support US-VISIT are properly protected through strong information security controls since a security breach could have a direct impact on our homeland and the security of US citizens.” For more information visit: http://www.gao.gov
Figure: Systems supporting US-VISIT. Source: GAO.

Report demands UK security overhaul

The UK Science and Technology Committee has called for the government to reverse its law requiring online fraud to be reported to banks in the first instance.

The Personal Internet Security report, published on 10 August, demands a radical overhaul of how the UK reacts to IT security. Many of the suggestions are modelled on the US model of transparent reporting of incidents and on its public fraud hotline run by IC3.

Counting on banks
The report branded the refusal of banks, in particular, to accept responsibility for securing personal information “disturbing.” The report said: “We recommend that the Government review as a matter of urgency their decision to require online frauds to be reported to the banks in the first instance. We believe that this decision will undermine public trust in both the police and the Internet. It is essential that victims of E-crime should be able to lodge a police report and have some formal acknowledgement of the fact of a crime having been committed in exchange. We see no reason why such reports should not be made online, processed and forwarded to the banks automatically.” Banks should also be held liable for losses incurred through electronic fraud, according to the research.

Incident notification
The report also called for a security incident notification law in line with US legislation. A data security breach should be adequately defined and take into account the sensitivity of lost data, advises the report, and a mandatory central reporting system should be established. The authors say that a data security breach notification law would be “among the most important advances that the United Kingdom could make in promoting personal Internet security”.

Make vendors pay
More blue-sky suggestions include making IT vendors liable for insecure software. The report says in the short term this would apply if negligence could be demonstrated. Vendors, ISPs, the Government, police and the private sector should all do more, according to the authors. “The Government have insisted in evidence to this inquiry that the responsibility for personal Internet security ultimately rests with the individual,” said the report. “This is no longer realistic, and compounds the perception that the Internet is a lawless ‘wild west’. It is clear to us that many organizations with a stake in the Internet could do more to promote personal Internet security.” ISPs should monitor and detect outgoing traffic from customers. They should lose their ‘mere conduit’ defense for carrying illegal traffic when they have been told they are transiting spam or malicious code – giving affected parties the chance to win damages. The UK Science and Technology Committee, which is made up of parliamentarians, also recommended that steps be taken to improve the knowledge of e-crime in the court system. Other recommendations include:
• Criminalise the sale or purchase of the services of a botnet, regardless of the use to which it is put.
• The Government, in partnership with the Association of Chief Police Officers and the Serious Organized Crime Agency, should develop a unified, Web-based reporting system for e-crime.
• Establish a network of computer forensic laboratories.
• Establish a police central e-crime unit.
• Ratify the Council of Europe Cybercrime Convention.
• Allocate more resources to the Information Commissioner’s Office, which is handicapped by a lack of funds and powers.
Man pleads guilty to illegally posting US hit show 24

A man has pleaded guilty to posting the first four episodes of the popular US TV show 24 on the Internet before the episodes were aired on the Fox television network.

Jorge Romero, 25, who lives in Chicago, has admitted uploading two episodes of 24 to the LiveDigital.com website on 6 January – eight days before the show was broadcast on Fox. He has also admitted uploading a further two episodes to the same website on 7 January. Romero also said he publicised the available episodes by posting links to them on other sites such as Digg.com. Fox discovered the yet-to-be-aired versions on LiveDigital.com before the official release date. Law enforcement agents obtained a warrant to search Romero’s home after the accounts used to upload the episodes were linked to him. Romero’s computer provided evidence of his uploads and he also acknowledged the scheme. Fox says it has lost US$4 million because of the early postings of 24. Romero pleaded guilty to uploading copyrighted material to a publicly accessible computer network knowing the work was intended for commercial distribution, a felony that carries a statutory maximum sentence of three years in federal prison.
NIST tackles Web Services

The US National Institute of Standards and Technology (NIST) has issued guidelines on how to secure Web services.

NIST points out that Web service security standards do not, on their own, make Web services robust, secure and reliable enough. Denial-of-service attacks, in particular, are not dealt with thoroughly, according to the SP-800 Guide to Secure Web Services. Ensuring the availability of Web services is a constant problem, but load balancing and clustering can help protect against downtime, said the guide. Defense-in-depth, through security engineering, secure software development and risk management, can contribute to making the applications more secure. “The security challenges presented by the Web services approach are formidable and unavoidable,” says NIST.

The top threats facing Web services, according to WS-I, are:
• Message alteration.
• Loss of confidentiality.
• Falsified messages.
• Man in the middle.
• Principal spoofing.
• Forged claims.
• Replay of message.
• Replay of message parts.
• Denial-of-service.

For more information visit: http://csrc.nist.gov/publicatons/nistpubs/800-95/SP80095.pdf
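Three of the WS-I threats in that list, message alteration, falsified messages and replay of a message, can be illustrated with a small receiver-side check. The Python below is an added example written for this page, not code from NIST, WS-I or the SP 800 guide. It assumes a pre-shared key between the two services (a constructed key is embedded here), covers the message body, a nonce and a timestamp with an HMAC, and keeps a nonce cache for the freshness window so that a captured message cannot be submitted twice. The message format, field names and window size are all assumptions made for the example.

```python
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional, Tuple

# Constructed shared secret for the example only; a real service would
# provision the key out of band (or use a signature key pair instead).
SHARED_KEY = b"example-shared-key-not-for-production"
MAX_SKEW_SECONDS = 300  # assumed freshness window: how far a message timestamp may drift


def _canonical(body: Dict, nonce: str, timestamp: int) -> bytes:
    """Serialise the MAC-covered fields in a fixed order so both sides hash identical bytes."""
    payload = {"body": body, "nonce": nonce, "ts": timestamp}
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign_message(body: Dict, key: bytes = SHARED_KEY, now: Optional[int] = None) -> Dict:
    """Sender side: attach a fresh random nonce, a timestamp and an HMAC-SHA256 over all three."""
    timestamp = int(time.time()) if now is None else now
    nonce = secrets.token_hex(16)
    tag = hmac.new(key, _canonical(body, nonce, timestamp), hashlib.sha256).hexdigest()
    return {"body": body, "nonce": nonce, "ts": timestamp, "mac": tag}


class Receiver:
    """Receiver side: rejects altered or forged messages (bad MAC), stale messages
    (timestamp outside the window) and replays (nonce already seen in the window)."""

    def __init__(self, key: bytes = SHARED_KEY, max_skew: int = MAX_SKEW_SECONDS):
        self.key = key
        self.max_skew = max_skew
        self.seen: Dict[str, int] = {}  # nonce -> timestamp, pruned once outside the window

    def _prune(self, now: int) -> None:
        cutoff = now - self.max_skew
        self.seen = {n: t for n, t in self.seen.items() if t >= cutoff}

    def verify(self, msg: Dict, now: Optional[int] = None) -> Tuple[bool, str]:
        now = int(time.time()) if now is None else now
        try:
            body, nonce, ts, mac = msg["body"], msg["nonce"], int(msg["ts"]), msg["mac"]
        except (KeyError, TypeError, ValueError):
            return False, "malformed"
        # 1. Integrity and authenticity first: recompute the MAC and compare in constant time.
        expected = hmac.new(self.key, _canonical(body, nonce, ts), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, mac):
            return False, "bad mac"
        # 2. Freshness: anything outside the window is refused, which bounds how long
        #    a nonce has to be remembered.
        if abs(now - ts) > self.max_skew:
            return False, "stale"
        # 3. Replay: the same nonce presented again inside the window.
        self._prune(now)
        if nonce in self.seen:
            return False, "replay"
        self.seen[nonce] = ts
        return True, "ok"


if __name__ == "__main__":
    receiver = Receiver()
    original = sign_message({"op": "transfer", "amount": 10})
    print("first delivery:", receiver.verify(original))
    print("replayed copy: ", receiver.verify(original))
    altered = dict(original, body={"op": "transfer", "amount": 10000})
    print("altered body:  ", receiver.verify(altered))
```

The check order matters: the MAC is verified before the nonce is recorded, so an unauthenticated sender cannot fill the nonce cache, and the timestamp window is what lets the cache stay bounded. The example says nothing about the other listed threats; confidentiality needs encryption on top of this, and denial-of-service is not addressed by message authentication at all.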